SYSTEM AND METHOD FOR DOCUMENT ISOLATION

TECHNICAL FIELD

The present invention relates generally to the field of workflow management systems and, more particularly, to methods and systems for restricting access to documents and operations performed on those documents while they are being routed through a workflow.

BACKGROUND OF THE INVENTION

Computer based document management systems, which traditionally have provided a mechanism to organize and control access to electronic documents, have been improved to facilitate workflow and document publishing. For example, document management systems now provide the capability to define a workflow template that specifies that a person or set of persons must review or approve a document before the document is made generally available. Such workflow templates are particularly useful in a document publishing environment where approval processes are commonplace.

A particularly important operation in workflow systems is managing access to documents as they move
through various stages of a workflow. In a typical document-publishing scenario, significant time can elapse between creation of a document and final approval of the document for external viewing or publishing. For example, after an author revises an existing document and enters the revised document into a publishing workflow, several editors may need to review the document prior to the document receiving final approval for viewing by people outside the publishing group. It may take an extended period before the editors have an opportunity to review the document. In the meantime, it is necessary to restrict access to the revised document until it receives final approval. Indeed, it is necessary to restrict access to the document even if the editing process takes only a short time. Editors should be given access to the new version of the document for purposes of editing and approving the document, while those without approval authority should be given access to the original version of the document without revisions. Thus, it can be said that the original or "base" document and the revised document should be maintained separately, or "isolated" from each other, and access given as appropriate to one or the other during the period that the document is undergoing approval in the publishing workflow.

It is also necessary to control access to the publishing operations that may be performed on a document as it is routed through a workflow. For example, while a document may be checked-out for revision numerous times during the course of a workflow, at any given time only specific sets of individuals should have permission to perform this operation.

Thus, there is a need for systems and methods for controlling access to documents and operations to be performed on those documents while documents are routed through a workflow. Specifically, there is a need for systems and methods to "isolate" the base document from the revised document that is undergoing editing in a workflow. Users should selectively be directed to the appropriate version of the document that they are authorized to see. Further, users should selectively be permitted to perform operations on the documents. Preferably, the systems and methods are extensible to accommodate user-defined workflows and workflow operations.
SUMMARY OF THE INVENTION

The present invention is directed toward systems and methods to address these needs. According to an aspect of the invention, when a revision is made to an original or "base" document and the revision placed in a workflow, a separate "working" copy of the base document is generated. As the document moves through the workflow, new versions of the "working" copy document may also be generated. Security controls, which define who may access the base document as well as any versions of the working copy document, are defined and stored in relation to the documents. The security controls further define the types of actions users may take with respect to the document. For example, the security controls may specify that a user should be given access to the working copy document as opposed to the base document and should have the capability to check-out the working copy of the document for revision.

Upon receipt of a request to perform an operation on a document during the period that the document is in the workflow, the security controls are referenced to determine whether the user has permissions to perform the operation as well as to which version of the document the user should be directed. For example, a

user may desire to check-out a document for purposes of editing the document. The security controls associated with the document are referenced to identify to which version of the document the user should be directed as well as to determine whether the particular user may check-out the document for editing.

In an embodiment of the invention, users are assigned roles and document security controls are defined in terms of these roles. For example, in a publishing workflow having an editing state and approval state, users might be assigned one of two different roles, reviewer and approver. During the editing state, the security controls might be defined to provide check-out capabilities to reviewers while denying check-out privileges to approvers. When the document enters the approval state, the security controls are defined to grant approvers check-out privileges while denying the same privileges to reviewers.

As will be readily appreciated from the foregoing description, systems and methods in accordance with the invention facilitate controlling access to documents and the operations performed on those documents during periods when the document is undergoing revision in a workflow.

BRIEF DESCRIPTION OF THE DRAWINGS

Other features of the invention are further apparent from the following detailed description of presently preferred exemplary embodiments of the invention taken in conjunction with the accompanying drawings, of which:

FIGURE 1 is a block diagram of a general purpose computer system for implementing the present invention;

FIGURE 2 is a block diagram illustrating a network architecture, in accordance with the present invention;

FIGURE 3 is a block diagram illustrating representative modules of system software that operate in accordance with the invention;

FIGURE 4 is a chart illustrating a workflow that may be facilitated by systems and methods in accordance with the present invention;

FIGURE 5 is a table illustrating values for the access controls that may be maintained for a document as the document moves through states of a publishing workflow;

FIGURE 6 is a flow diagram of a process for handling a user request to access a document in accordance with the invention;

FIGURE 7 is a flow diagram of a process for handling a user request to perform a publishing operation on a document in accordance with the present invention;

FIGURE 8 is a flow diagram illustrating the process for resolving whether a user should be granted permission to perform a publishing operation in accordance with the present invention;

FIGURE 9 is an illustrative example of component parts of a security descriptor in accordance with the present invention; and

FIGURE 10 is an illustrative example of component parts of an access control list in accordance with the present invention.

DETAILED DESCRIPTION OF THE INVENTION

OVERVIEW

The present invention is directed to novel systems and methods for controlling access to information, particularly documents. According to an aspect of the invention, when a revision is made to a document and the revision placed in a publishing workflow, a separate "working" copy of the original or "base" document is generated. As the document moves through the workflow, new versions of the "working" copy document may also be generated. Security controls, which are used to identify who may access the base document as well as to determine which version of the working copy document a user should be directed to if one exists, are defined and stored in relation to the documents. The security controls further define the types of actions users may take with respect to the document. For example, the security controls may be used in combination with information regarding the state of the document and the role of the user to identify that a user should be given access to the working copy document and should have the capability to check-out the working copy of the document for revision.

Prior to explaining the details of the invention, it is useful to provide a description of a suitable exemplary environment in which the invention may be implemented.
EXEMPLARY OPERATING ENVIRONMENT

1. A Computer Environment

Figure 1 and the following discussion are intended to provide a brief general description of a suitable computing environment in which the invention may be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a computer, such as a workstation or server. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

With reference to Figure 1, an exemplary system for implementing the invention includes a general purpose computing device in the form of a conventional personal computer 20 or the like, including a processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21. The system bus 23 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read-only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system 26 (BIOS), containing the basic routines that help to transfer information between elements within the personal computer 20, such as during start-up, is stored in ROM 24. The personal computer 20 may further include a hard disk drive 27 for reading from and writing to a hard disk, not shown, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD-ROM or other optical media. The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical drive interface 34, respectively. The drives and their associated computer-readable media provide non-volatile storage of computer readable instructions, data structures, program modules and other data for the personal computer 20. Although the exemplary environment described herein employs a hard disk, a removable magnetic disk 29 and a removable optical disk 31, it should be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories (RAMs), read-only memories (ROMs) and the like may also be used in the exemplary operating environment. Further, as used herein, the term "computer readable medium" includes one or more instances of a media type (e.g., one or more floppy disks, one or more CD-ROMs, etc.).

A number of program modules may be stored on
the hard disk, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35, one or more application programs 36, other program modules 37 and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite disk, scanner or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor 47, personal computers typically include other peripheral output devices (not shown), such as speakers and printers.

The personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all
of the elements described above relative to the personal computer 20, although only a memory storage device 50 has been illustrated in Figure 1. The logical connections depicted in Figure 1 include a local area network (LAN) 51 and a wide area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, Intranets and the Internet.

When used in a LAN networking environment, the personal computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over the wide area network 52, such as the Internet. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
2. A Network Environment

Figure 2 illustrates an exemplary network environment in which the present invention may be employed. Of course, actual network environments can be arranged in a variety of configurations; however, the exemplary environment shown here provides a framework for understanding the type of environment in which the present invention operates.

The network may include client computers 20a, server computer 20b, and data source computers 20c. Client computers 20a and data source computers 20c are in electronic communication with the server computer 20b via communications network 80 which may be, for example, the Internet. Client computers 20a and data source computers 20c are connected to the communications network by way of communications interfaces 82. Client computers 20a, data source computers 20c, and server computers 20a are computing systems such as, for example, the computer system described above with reference to Figure 1. Communications interfaces 82 can be any one of the well-known communications interfaces such as Ethernet connections, modem connections, and so on.

Server computer 20b comprises server software that operates as described in detail below, to control
access to documents that are undergoing revision in a publishing workflow. The electronic documents that are under control of the server software may be located on server computer 20b, client computer 20a, or data source 20c. Client computers 20a can access server computer 20b via communications network 80 to access documents which are being routed through a workflow and which are under control of server computer 20b.

As will be readily understood by those skilled in the art of computer network systems, and others, the system illustrated in FIGURE 2 is exemplary, and alternative configurations may also be used in accordance with the invention. For example, server computer 20b may comprise a plurality of computing devices. Additionally, the client computer 20a and server computer 20b may be the same physical device. As discussed above, the client computer 20a and the server computer 20b may communicate through any type of communication network or communications medium.

DETAILED DESCRIPTION OF SYSTEM AND METHOD FOR DOCUMENT ISOLATION
Figure 3 is a diagram of software modules of server software 100 that operate on server computer 20b in accordance with aspects of the invention. As shown, server software 100 comprises distributed authoring and versioning (DAV) server 110, publishing engine 112, security manager 114, versioning manager 116, and store area 118.

Store area 118 operates as a repository for information objects such as folders, documents, and role memberships as defined on the folders and documents. If, upon receipt of a request for a document, the requesting user has the appropriate permissions, store area 118 is accessed in order to retrieve the requested document.

DAV server 110 receives requests formatted according to the DAV standard and forwards the requests to the appropriate system software component. DAV server is operable to field requests that are formatted to take advantage of the publishing capabilities of the system as well as those that do not.

Publishing engine 112 provides the capability to create and maintain workflows. When a document is placed in a workflow, publishing engine 112 provides for routing the document to the appropriate persons in the workflow template.

Versioning manager 114 operates to create, maintain, and track versions of documents. During the period that a document is undergoing a publishing workflow, numerous versions of a document may be created. Versioning manager 114 controls the versioning during the publishing process.

Security manager 116 provides for the creation, maintenance, and enforcement of restrictions on performing publishing operations. Thus, when it is desired to create a new publishing operation and define which roles may have access to it, security manager 116 provides the needed functionality. Furthermore, when a request to perform a publishing operation is received, security manager 116 determines whether the particular user has been granted permissions to the operation.

Generally, workflow templates may be used in the publishing environment to insure that a new document or a revision to an existing document is subject to a standard review procedure before it becomes generally available. For example, a manager of a testing department may desire to establish a document publishing workflow through which all test-plan documents must pass prior to being made generally available. During the period that a new document or a revision to a document is undergoing editing and approval in the workflow template, those users that are not involved with the approval process should have access to the base document while those persons involved with the approval process should be directed to the latest version of the revised document. According to an aspect of the invention, access to the base document as well as any versions that may be created during a publishing workflow is controlled by placing read/write security controls on the documents. Similarly, permissions to perform a publishing operation are identified through security controls on the base document.

Figure 4 illustrates an exemplary publishing workflow that may be implemented using systems and methods in accordance with the present invention. The workflow can be thought of as encompassing various stages or "states" through which a document passes. According to an aspect of the present invention, the version of the document that a user may access as well as the operations that the user may perform on a document while it is in a particular "state" is limited by the role that a user has been granted.

According to the publishing workflow template illustrated in Figure 4, initially a document can be thought of as existing in a "create" state 220. While a document is in create state 220, a user, who may be referred to as the document owner, can checkout and revise a document. As noted in Figure 4, while the document is in create state 220, users that have been assigned roles applicable to the workflow, which in this example include reviewer and approver roles, do not have privileges to perform specialized publication operations on the document. When a document is checked-out by the owner during create state 220, users other than the owner, referred to collectively as "public users," cannot view the checked-out version of the document. If a public user attempts to access the document while it is checked-out, the user is redirected to the version of the document that existed prior to the document having been checked-out.

While in create state 220, when the owner checks-in the document, a publishing workflow is invoked and the revised document enters "in-review" state 222. While a document is in in-review state 222, the document owner as well as users that have been assigned the

reviewer role may check-out the document for editing. In contrast, users that have been assigned the approver role may not check-out a document while it is in in-review state 222. Public users may not even see the new document but rather will be referred to the version of the document that existed prior to the owner checking-out the document. When all of the users with the reviewer role have accessed the document, the document is forwarded to "in-approval" state 226.

While a document is in "in-approval" state 226, users that have been assigned the approver role can check-out the document to review the document and, if appropriate, upon checking-in the document, acknowledge their approval of the document. The document owner and users that have been assigned the reviewer role do not have the capability to check-out the document while it is in in-approval state 226. Public users do not even see the revised document but rather are referred to the version of the document that existed prior to the owner checking-out the document.

When all of the users with the approver role have accessed the document, the document leaves the publishing workflow and enters "approved" state 228. In
approved state 228, the public can access the revised and approved document. Users assigned the reviewer and approver roles have no special privileges once the document has been approved and has left the publishing workflow. The approved document may, thereafter, enter the create state 220 upon being checked out and revised.

According to an aspect of the present invention, during the period that a document is in a publishing workflow, the system maintains a working copy document corresponding to the base document. Several versions of the working copy document may be created over the course of the publishing workflow. Users are selectively directed to the appropriate version of the document as specified by the workflow. Further, users are selectively granted the capability to perform publishing operations on the document undergoing a publishing workflow.

Generally, access to documents and publishing operations that may be performed on those documents is controlled using security controls. For each base document there is defined a security descriptor and a publishing operation access control list (ACL).



150708.1 
MSFT-0178 

Generally, the security descriptor defines who may read and write to the document. The security descriptor plays an essential part in identifying to which version of a document a user should be directed. In particular, users are directed to the most recent version of a document to which they have been granted read access. For example, the security descriptors on a base document are evaluated in light of the publishing state the document is currently in and the user's role to determine if the user has access to the document at all, and, if so, whether the user should be directed to the base document or whether the user should be directed to the working copy document. Thus, it is possible to identify that the general public have read access to a base document while users that have been assigned the editor role are directed to the working copy document.

The security controls of the present invention further comprise a publishing operation access control list (ACL). Generally, the publishing operation ACLs, which are described in detail below, are maintained for each base document. A publishing operation ACL defines the publishing operations that may be performed on the document, including working copies, by users that have been assigned specific roles. Thus, upon receipt of a
request to perform a publishing operation on a document, the requesting user's roles are evaluated against the publishing operation ACL that is associated with the base document. The requestor is permitted to perform publishing operations on the document to the extent his or her roles have been granted privileges to the document. For example, if a user is interested in performing a check-out operation, he or she issues a check-out command on the base document. The publishing operation ACL associated with the base document is referenced to determine whether the user's roles have been granted the privilege to check-out. If so, a new version of the working copy of the document is created and the access control list associated with the base document is modified to identify that only that particular user has privileges to perform a check-in operation.
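The following is an added example and is not code from the patent: a small Python model of the scheme described above, with a read/write security descriptor on every version, a publishing-operation ACL on the base document that is rewritten on each check-out and check-in, and a resolver that directs a user to the most recent version whose descriptor grants read access. The user names, the role strings, and the naming of the approved public version as foo_4.doc (the text only says a new public document is created) are assumptions of this example; check-out and check-in follow the state transitions of the Figure 4 workflow.

```python
from dataclasses import dataclass, field

PUBLIC = "public"   # implicit role every user holds
OWNER = "owner"     # placeholder resolved to the current owner of the revision


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

    def principals(self):
        # Descriptor and ACL entries match a user by name or by any held role.
        return {self.name, PUBLIC, *self.roles}


@dataclass
class Version:
    name: str
    readers: set   # security descriptor: principals granted read access
    writers: set   # security descriptor: principals granted write access


@dataclass
class BaseDocument:
    name: str
    state: str = "create"
    owner: str = ""
    seq: int = 0                                   # drives the foo_N.doc naming
    versions: list = field(default_factory=list)   # oldest first; base document at [0]
    op_acl: dict = field(default_factory=dict)     # publishing-operation ACL on the base

    def __post_init__(self):
        self.versions.append(Version(self.name, {PUBLIC}, set()))
        self.op_acl = {"check-out": {PUBLIC}}      # create state: the public may revise


# Per target state of a check-in (Figure 4): who may read the new version and
# who may then check it out. OWNER is substituted with the actual owner name.
NEXT_STATE = {"create": "in-review", "in-review": "in-approval", "in-approval": "approved"}
READERS = {"in-review": {OWNER, "reviewer"},
           "in-approval": {OWNER, "reviewer", "approver"},
           "approved": {PUBLIC}}
CHECKOUT = {"in-review": {OWNER, "reviewer"}, "in-approval": {"approver"}, "approved": {PUBLIC}}


def may_perform(doc, user, op):
    """Evaluate the requester's roles against the base document's publishing-operation ACL."""
    return bool(doc.op_acl.get(op, set()) & user.principals())


def resolve_version(doc, user):
    """Direct the user to the most recent version whose descriptor grants read access."""
    for v in reversed(doc.versions):
        if v.readers & user.principals():
            return v
    return None        # no readable version at all: access denied


def _add_version(doc, suffix, readers, writers):
    stem, ext = doc.name.rsplit(".", 1)
    v = Version(f"{stem}_{suffix}.{ext}", set(readers), set(writers))
    doc.versions.append(v)
    return v


def check_out(doc, user):
    if not may_perform(doc, user, "check-out"):
        raise PermissionError(f"{user.name} may not check out {doc.name} in state {doc.state}")
    if doc.state in ("create", "approved"):
        # Revising the public document: the requester becomes owner of the revision.
        doc.state, doc.owner, doc.seq = "create", user.name, doc.seq + 1
        suffix = str(doc.seq)
    else:
        suffix = f"{doc.seq}wc"                    # working copy of the in-flight version
    v = _add_version(doc, suffix, {user.name}, {user.name})
    doc.op_acl = {"check-in": {user.name}}         # only the holder may check it back in
    return v


def check_in(doc, user):
    if not may_perform(doc, user, "check-in"):
        raise PermissionError(f"{user.name} may not check in {doc.name} in state {doc.state}")
    doc.state, doc.seq = NEXT_STATE[doc.state], doc.seq + 1
    sub = lambda s: {doc.owner if p == OWNER else p for p in s}
    v = _add_version(doc, str(doc.seq), sub(READERS[doc.state]), set())
    doc.op_acl = {"check-out": sub(CHECKOUT[doc.state])}
    return v


def walkthrough():
    """Replay the foo.doc scenario with constructed users. Returns, per step, the
    state and the version each of (owner, reviewer, approver, public user) is sent to."""
    doc = BaseDocument("foo.doc")
    alice = User("alice")                          # public user who becomes the owner
    bob = User("bob", frozenset({"reviewer"}))
    carol = User("carol", frozenset({"approver"}))
    dave = User("dave")                            # public user outside the workflow
    trace = {}

    def snap(step):
        seen = tuple(getattr(resolve_version(doc, u), "name", None)
                     for u in (alice, bob, carol, dave))
        trace[step] = (doc.state, seen)

    snap("start")
    for step, action, who in (("owner check-out", check_out, alice),
                              ("owner check-in", check_in, alice),
                              ("reviewer check-out", check_out, bob),
                              ("reviewer check-in", check_in, bob),
                              ("approver check-out", check_out, carol),
                              ("approver check-in", check_in, carol)):
        action(doc, who)
        snap(step)
    return trace
```

Note that the public user is never directed past foo.doc until the approver's check-in publishes a new public version, and that each check-out leaves exactly one principal able to check in.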

Figure 5 is a table illustrating values for the security controls, including security descriptors and publishing operation ACLs, that are maintained for an exemplary document entitled "foo.doc" as the document moves through the various states in the publishing workflow described above in connection with Figure 4. As
shown, the table comprises the following columns: role/user column 510 which identifies a user or role; file column 512 which identifies the name of a file to which the user or role of column 510 has access; publishing operation column 514 which corresponds to the publishing operation ACL on the base document and which identifies the publishing operation, if any, that the role or user of column 510 may perform on the file of column 512; read write column 515 which corresponds to information contained in the security descriptor for the document identified in column 512 and which identifies whether the user or role identified in column 510 has read or write privileges to the file identified in column 512; public folder column 518 which identifies that the file listed therein may be accessed by the general public; working folder column 520 which identifies that the file listed therein resulted from the operation of the publishing workflow and access to the document is restricted; and operation performed column 522 which identifies the operations that are performed as a document progresses through a document publishing workflow. The various states (create 220, in-review 222, in-approve 224, and approved 228) that are represented in Figure 4 are similarly identified in Figure 5.



As shown, in create state 220, the document foo.doc is generally accessible to the public, as designated in column 516, and may be checked-out by members of the public to revise the document, as designated in column 514. If a check-out operation is performed by a member of the public, a new working copy document, foo_1.doc, is created and maintained separate from the base document foo.doc. The user that checks-out the document is considered to be the "owner" of the document. The security descriptor associated with foo_1.doc is set to indicate, as reflected in column 516, that the owner has read and write privileges. It should be noted that members of the public do not have access to the new working copy of the document foo_1.doc and in fact, do not have access to any of the subsequent versions until the publishing workflow is complete. Indeed, public users that are not involved with the publishing workflow are directed to foo.doc until the workflow is complete and a new public document is created. The publishing operation ACL associated with the base document, foo.doc, is updated, as reflected in column 514, to indicate that the owner may perform a check-in operation.

When the owner performs the check-in operation, the "in-review" state of the publishing workflow template is entered and a new version of the working copy document entitled foo_2.doc is created. The security descriptor associated with foo_2.doc is created, as reflected in column 516, to identify that the document owner and those users with the reviewer role may view the newly created foo_2.doc. The public, however, continues to be directed to foo.doc and does not even see foo_2.doc. Further, as represented in column 514, the publishing operation ACL associated with the base document, foo.doc, is updated to indicate that the owner and users assigned the reviewer role have permissions to perform check-out operations.

When a user with the reviewer role performs a check-out operation on foo_2.doc, a new version of working copy document, foo_2wc.doc, is created. The security descriptor associated with foo_2wc.doc is updated, as reflected in column 516, to identify that the reviewer who checked out foo_2.doc has read and write privileges to foo_2wc.doc. Accordingly, when the reviewer accesses foo.doc, he or she is directed to foo_2wc.doc. The document owner, meanwhile, continues to be directed to

foo_2.doc. Further, as represented in column 514, the 
publishing operation ACL associated with the base 
document, foo.doc, is updated to indicate that the 

5 reviewer has permissions to perform check- in operations 
while the owner has no permissions. 



When the reviewer has finished editing foo_2wc.doc and performs a check-in operation, in-approve state 226 is entered and a new document, foo_3.doc, is created. The security descriptor related to foo_3.doc identifies that the owner, users with the reviewer role, and users with the approver role may view the new document. Accordingly, if the owner or users with either the reviewer or approver role were to request access to foo.doc, they will be directed to foo_3.doc. The publishing operation ACL associated with base document, foo.doc, is updated to indicate that users with the approver role may perform a check-out operation. Users with the reviewer role no longer have permissions to perform check-in operations.

When a user with the approver role performs a check-out operation on foo_3.doc, a new version of the working copy document, foo_3wc.doc, is created. As reflected in column 516, the approver who checked out the document has permissions to read and write to foo_3wc.doc and will automatically be routed to that version when he or she accesses foo.doc. The security descriptors indicate that the document owner and users with the reviewer role may access foo_3.doc but not foo_3wc.doc. As designated in column 514, the publishing operation ACL associated with the base document indicates that the user with the approver role that checked out the document has permissions to perform a check-in operation. The document owner and users with the reviewer role do not have permissions to perform publishing operations.

As shown, when the user with the approver role performs a check-in, or approve, operation, the publishing workflow is complete and approved state 228 is entered. Upon the check-in operation being performed, a new version of the document, foo_4.doc, is created. Indeed, in a preferred embodiment, the base document is overwritten by foo_4.doc. As indicated in column 516, foo_4.doc is available to the public. This is in contrast to the situation at the beginning of the workflow wherein the public is directed to the document foo.doc.

As the preceding example illustrates, during the period that a document is undergoing revision in a publishing workflow, a separate copy of the base document, the working copy document, is maintained. Thus, the base document is isolated from the several versions of the working copy document that are created. Security controls are placed on the base document to identify which document a user may access as well as to identify the operations users may perform on those documents. Specifically, security descriptors are defined for each document and identify which users have read and write access to the documents. The security descriptor information is used to resolve which document, either base or working copy, a user is directed to upon receipt of a request to access the document. Furthermore, publishing operation ACL's are defined for each base document and identify which publishing operations, for example, check-out and check-in, a user may perform.

Figure 6 is a flow diagram of a process for handling user requests to access a document. As shown, at step 610, a request to view a document is received. At step 612, the security descriptor on the base document is evaluated to determine whether the user, or the user's role, has read access to the document. If not, at step 614 the user is denied access to the document. At step 616 the security descriptor on the base document is evaluated in light of the user's role and the publishing state in which the document is located to determine if the user should be directed to the base document or the working copy document. If the user or user's role should not have access to the working copy as defined by the publishing model state, at step 618, the base document is returned to the user. If the user or user's role should have access to the working copy as defined by the publishing model state in which the document is located, at step 620, the most recent version of the working copy document is returned to the user.

Figure 7 provides an overview of the process for handling user requests to perform a publishing operation on a document undergoing revision in a document workflow. As shown, at step 710, a request is received to perform a publishing operation such as, for example, a check-out operation. At step 712, it is resolved whether the user has permission to perform the requested operation on the document. The process for making this determination is described below in detail with reference to Figure 8. Generally, however, the resolution is made by comparing the requesting user's roles with the publishing operation ACL stored in relation with the base document.

If at step 712, it is determined that the user does not have permissions to perform the desired operation, at step 714, permission is denied. If, however, the user does have permission, at step 716 a new working copy of the document is created. The security descriptor for the new document is created so as to designate that the appropriate parties have access to the document. For example, if the user is performing a check-out operation, which causes a new working copy document to be generated, the security descriptor identifies that the party checking out the document has read and write privileges to the document. At step 718, the publishing operation ACL on the base document is updated to correspond to the changed status of the document. For example, if the user has requested to check-out the document and a new working copy of the document has been created, the publishing operation ACL associated with the base document is updated to indicate that only the user who has checked out the document has permissions to perform a check-in operation on the document. Thereafter, at step 720, the user is given access to the document and the means to perform the requested operation.

Figure 8 provides a flow chart illustrating the process for resolving whether a user should be granted permission to perform a publishing operation on a document. As shown, at step 810, the roles that have been assigned to the user are identified. At step 812, the set of roles that have been assigned to the user are compared to the list of role privileges within the publishing operation ACL that is associated with the base document. If at step 814, one or more of the user's assigned roles have been granted permission to perform the desired operation, at step 816, it is resolved to grant permission to perform the operation. If at step 814, however, none of the user's assigned roles have been granted permission to perform the desired operation, at step 818, it is resolved to deny permission to perform the operation.

As illustrated by the flow diagrams of Figures 6, 7, and 8, access to documents and document publishing operations is controlled through the security descriptors and publishing operation ACL's that are maintained by the system. Security descriptors identify the users that have read and write access to the document. The publishing operation ACL's identify the publishing operations that users may perform.

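The checks of Figures 6, 7 and 8 carried through in working code, as an added example that is not part of the patent: each document carries a DACL of allow entries (the security descriptor of Figure 9) and each base document carries a publishing operation ACL mapping an operation to the SIDs permitted to perform it (Figure 10). The string operation ids standing in for GUIDs, the function and field names, the simplified working-copy naming and the single next role granted on check-in are all assumptions of this example.

```python
# Added example (not the patent's code): an in-memory model of the access checks
# in Figures 6, 7 and 8; names, dict layout and string op ids are assumptions.

def has_right(doc, sids, right):
    """Figure 9: an ACE in the DACL grants `right` to one of the caller's SIDs."""
    return any(right in ace["rights"] for ace in doc["dacl"] if ace["sid"] in sids)

def resolve_view(base, user, roles):
    """Figure 6: decide whether, and to which copy, a view request is routed."""
    sids = {user, *roles}
    if not has_right(base, sids, "read"):
        return None                                    # step 614: denied
    for wc in reversed(base["versions"]):              # step 616: newest copy first
        if has_right(wc, sids, "read"):
            return wc["name"]                          # step 620: working copy
    return base["name"]                                # step 618: base document

def may_perform(base, op, user, roles):
    """Figure 8: one of the user's SIDs is listed under `op` in the publishing ACL."""
    return bool(base["pub_acl"].get(op, set()) & {user, *roles})

def _new_version(base, suffix, dacl, pub_acl):
    """Steps 716 and 718: add a copy with its own descriptor and replace the ACL."""
    wc = {"name": f"{base['name'].rsplit('.', 1)[0]}_{suffix}.doc", "dacl": dacl}
    base["versions"].append(wc)
    base["pub_acl"] = pub_acl
    return wc["name"]

def check_out(base, user, roles):
    """Figure 7, check-out: only the checker-out may read/write or check in the copy."""
    if not may_perform(base, "check-out", user, roles):
        return None                                    # step 714: denied
    return _new_version(base, f"{len(base['versions']) + 1}wc",   # simplified naming
                        [{"sid": user, "rights": {"read", "write"}}], {"check-in": {user}})

def check_in(base, user, roles, readers, next_role):
    """Figure 7, check-in: the new version is readable by `readers` and the
    checker-in; `next_role` receives the check-out right (Figure 5 progression)."""
    if not may_perform(base, "check-in", user, roles):
        return None
    dacl = [{"sid": s, "rights": {"read"}} for s in {user, *readers}]
    return _new_version(base, str(len(base["versions"]) + 1), dacl, {"check-out": {next_role}})

def new_base(name):
    """Constructed sample: create state 220, the public may read and check out."""
    return {"name": name, "versions": [],
            "dacl": [{"sid": "public", "rights": {"read"}}],
            "pub_acl": {"check-out": {"public"}}}
```

Walking a constructed base document through owner check-out, owner check-in and reviewer check-out reproduces the routing of Figure 5: the public keeps seeing the base document, the owner is held at the last checked-in version, and only the current checker-out reaches the working copy.
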
Figure 9 provides an illustrative example of the component parts of a security descriptor for use in the present invention. As shown, a security descriptor comprises owner identifier 910 and a discretionary access control list (DACL) 912. Owner identifier 910 identifies the user who created the document. DACL 912 comprises a series of structures, which might be referred to as access control entry (ACE) structures, wherein each structure comprises an access allowed/denied identifier 914, and a security identifier (SID) 916. SID 916 uniquely identifies a user or role. Access allowed/denied identifier 914 specifies whether the user or role identified by SID 916 has read or write access to the particular document. As shown, DACL 912 may comprise a plurality of entries.

As described above in relation to Figure 5, the documents which a user has permission to access change as a document proceeds through a workflow. The security descriptors related to the documents are modified as appropriate to institute and enforce these changes. Further, when a request is received to access a document, the appropriate document to which the user should be directed is resolved using the security descriptors.

Figure 10 provides an illustrative example of the component parts of a publishing operation ACL for use in the present invention. As shown, a publishing operation ACL comprises a list of structures 1010, wherein each structure comprises a global level unique identifier (GUID) 1012, a unique security identifier (SID) 1014, and an access allowed/denied identifier 1016. In one embodiment, structures 1010 may be referred to as ACE's, although the ACE's have been extended from those defined for DACL's 912. GUID 1012 identifies a publishing operation and SID 1014 identifies a role or user that has access to the publishing operation identified by GUID 1012. In one embodiment, GUID 1012 is a one-to-one mapping with a unique 128 bit number and an associated operation.

As described above in relation to Figure 5, as a document proceeds through a workflow, the operations that a user or role can perform on the document change. Publishing operation ACL's are modified as appropriate to institute and enforce these changes. Further, upon receipt of a request to perform a publishing operation, the publishing operation ACL's are referenced to determine whether to permit or deny access to the requested operation.

According to an aspect of the invention, the systems and methods are extensible to accommodate new user-defined publishing workflows, new user-defined publishing operations, and new user-defined roles. Thus, when a new publishing operation is created, it is assigned a new GUID 1012. Similarly, when a new role is created, it is assigned a new SID 1014. User-defined GUID's and SID's may be added to a publishing operation ACL to enforce the restrictions instituted in a new workflow template as described above.

Thus, the present invention provides systems and methods for providing document isolation in a workflow environment. According to an aspect of the invention, when a revision is made to a document and the revision placed in a publishing workflow, a separate "working" copy of the original or "base" document is generated. As the document moves through the workflow, new versions of the "working" copy document may also be generated. Security controls, which define who may access the original document as well as any versions of the working copy document, are defined and stored in relation to the documents. The security controls further define the types of actions users may take with respect to the document. Thus, the invention provides for systems and methods that reliably control access to documents and that are extensible to accommodate user-defined workflows. These aspects of the invention provide that the base document may be made available to users to view, even while a revision of the document is being approved in a publishing workflow.

Those skilled in the art understand that computer readable instructions for performing the above described processes can be generated and stored on a computer readable medium such as a magnetic disk or CD-ROM. Further, a computer such as that described with reference to Figure 1 may be arranged with other similarly equipped computers in a network, and each computer may be loaded with computer readable instructions for performing the above described processes. Specifically, referring to Figure 1, microprocessor 21 may be programmed to operate in accordance with the above-described processes.



While the invention has been described and illustrated with reference to specific embodiments, those skilled in the art will recognize that modifications and variations may be made without departing from the principles of the invention as described above and set forth in the following claims. In particular, while the invention has been described with respect to limiting access to documents, the invention may be employed to control access to virtually any type of data object including folders. Further, while the invention has been described in the context of a publishing environment, the invention may apply to other environments as well. Accordingly, reference should be made to the appended claims as indicating the scope of the invention.